Social engineering is having a major impact on cybersecurity. Ironically though, it’s one of the most overlooked concerns when it comes to companies and organizations mapping out their cybersecurity solutions.

The primary reason social engineering is often ignored is that the associated security threats are targeted to untrained people who don’t know how to identify abnormal patterns. Since those patterns remain unidentified, mitigating potential cybersecurity attacks becomes that much more difficult.

The good news is that there’s a firm understanding of the need to “protect the kingdom.” The not so good news is that teaching the people inside the kingdom how to protect it continues to remain a challenge.

“The good news is that there’s a firm understanding of the need to “protect the kingdom.” The not so good news is that teaching the people inside the kingdom how to protect it continues to remain a challenge. ”

– Rene Cardona, Solutions Architect, VectorUSA

In this post, we take a look at the social engineering problem as a whole, its challenges and several associated problems. In my next post, we’ll examine those problems in more detail and address the solutions you need to ensure mitigating social engineering risk is part of your overall cybersecurity plan.

Understanding the minds behind the social engineering threat

In an information security (IS) context, the Oxford English Dictionary defines social engineering as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”

To fully understand the critical threat that social engineering poses to cybersecurity, it helps to understand the minds behind such nefarious activity. That means monitoring and identifying current and future cybersecurity threats and determining how to mitigate security vulnerabilities.

This might entail two-factor authentication because things like pre-shared keys are no longer secure. Companies and organizations need an additional layer of security. That way, if someone does obtain a secure passphrase, they’ll require further authentication to confirm if they’re actually entitled to gain network access.

The criminal minds behind social engineering continually scour user profiles which helps them thoroughly understand how people act and their daily activities which can all reveal how a user will behave. This then presents an opportunity to infiltrate a company or organization’s network.

Getting into the mind of someone who might be malicious helps to then determine how they’ll use social engineering to their advantage and penetrate a secure environment. That will ultimately protect the end user. However, network protection is never a one-and-done act and then forgotten. Network protection is an ongoing effort that never stops or sleeps.

Current challenges and problems

The biggest challenge with social engineering is limiting how much information end users expose. Posting information online, especially due to the growth of social media, has become second nature for most people. As a consequence, it’s hard to change someone’s mentality between their personal and work-related online activities.

“The biggest challenge with social engineering is limiting how much information end users expose.”

– Rene Cardona, Solutions Architect, VectorUSA

The biggest challenge with social engineering is limiting how much information end users expose. Posting information online, especially due to the growth of social media, has become second nature for most people. As a consequence, it’s hard to change someone’s mentality between their personal and work-related online activities.

That’s why, from a criminal’s viewpoint, it’s so intriguing for them to track what individuals are posting online and their social media activity in general. Because of this, educating employees about what they can and cannot post online is a tremendous obstacle.

Aside from such daunting challenges, there are several specific problems that need to be addressed as well. They include:

The importance of effective (and continued) cybersecurity training

Effective password management

Understanding the difference between authentic and spoof emails

Why phones even pose a threat to network penetration

Cybersecurity threats, including those related to social engineering, are constantly evolving. That’s why ongoing training is so vital. Careless use of passwords across your company or organization conveniently creates a funnel through which criminals can gain network access. Emails that appear legitimate, but aren’t, can fool even the wariest end user. While technically not an online threat, phones pose their own level of security risk.

Stay tuned for my next post where we’ll more fully examine all of these areas and provide recommendations that will help mitigate current and future social engineering cyber risks. We’ll also take a look at one of the most ill-protected industries today and how an organization in that industry successfully handled its own network vulnerabilities.